WORDPRESS SECURITY ALERT: Widespread XSS Vulnerability Exists

By: Grace McCrorie | Posted in: Web Security

WordPress Security Alert For Churches

UPDATE: This WordPress security alert is a general community announcement for all churches using WordPress version 4.2 and earlier to run their website.

Anyone running a website on WordPress version 4.2 and earlier should be made aware of this problem, and must take immediate action to ensure their site is secure.

In “geek speak”, a cross-site scripting, or XSS, vulnerability affecting multiple WordPress themes and plugins exists.

In simple terms, a WordPress security threat exists that attackers could use to gain unauthorized access to your Web pages or to your entire website.

What is Cross-site Scripting?

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site’s owner. —Source: Wikipedia

This Cross-site Scripting Wikipedia article includes simple examples of different kinds of attacks and things an attacker could accomplish if successful in exploiting this vulnerability. It’s definitely an eye-opening read.
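As an added illustration (not code from this post or from any real theme), here is a hypothetical WordPress theme fragment that echoes the visitor's search term back into the page: the first version writes the raw request value straight into HTML, which is the class of defect the alert describes, and the second escapes it with WordPress's esc_attr() and esc_html(). The stand-in escaping functions at the top are an assumption so the file also runs outside WordPress.

```php
<?php
// Hypothetical theme fragment (added example). Stand-ins for WordPress's real
// esc_html()/esc_attr() so this runs under plain PHP; inside a theme the
// WordPress functions themselves are used and these definitions are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// VULNERABLE: untrusted request data is concatenated straight into the page,
// so any '<', '>' or '"' the visitor (or a crafted link) supplies becomes
// markup. This is the pattern a theme or plugin update has to remove.
function render_search_box_unsafe(string $term): string {
    return '<form><input name="s" value="' . $term . '">'
         . '<p>Results for ' . $term . '</p></form>';
}

// FIXED: each untrusted value is escaped for the context it lands in:
// esc_attr() inside the attribute, esc_html() inside element text.
function render_search_box_safe(string $term): string {
    return '<form><input name="s" value="' . esc_attr($term) . '">'
         . '<p>Results for ' . esc_html($term) . '</p></form>';
}

// Constructed sample input: closes the attribute and adds a harmless tag,
// enough to show the difference between the two renderings.
$term = isset($_GET['s']) ? (string) $_GET['s'] : '"><b>hello</b>';

echo "Unsafe:\n" . render_search_box_unsafe($term) . "\n\n";
echo "Safe:\n"   . render_search_box_safe($term)   . "\n";
```

Run with `php example.php`: the unsafe output contains a live `<b>` element outside the input, while the safe output shows the same characters as `&quot;&gt;&lt;b&gt;...`, rendered as literal text.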

What should you do?

This WordPress security vulnerability is widespread, so it’s impossible to know precisely which themes and plugins have been affected.

An April 20, 2015 WordPress security advisory on the Sucuri Blog advises users to do the following:

  • Keep your site updated
  • Restrict access control
  • Monitor your logs
  • Use only plugins you need
  • Scan your site for indicators of compromise
  • Put a system in place to block the most common forms of XSS exploits

Immediate action I’m taking

I’m sure to apply updates to our theme and plugins as soon as they’re released, so we’re good there. So, here’s what I’ll be doing right away:

  1. Installing and running Sucuri’s WordPress security plugin
  2. Checking my church’s theme and plugin changelogs (yes, each and every one) to determine if and when the plugin was updated against this vulnerability
  3. Deactivating and uninstalling any plugins we do not use or that aren’t absolutely necessary for running our website

Then, I’ll continue to do what I’ve been doing: keeping an eye on logs, restricting access, performing weekly backups, applying updates immediately, and generally doing all I can to keep our church’s website safe and stay ahead of threats.

For further reading

Cross-site scripting article on Wikipedia

Security Advisory: XSS Vulnerability Affecting Multiple WordPress Plugins

Joost de Valk (Yoast): Security Updates For Our GA and SEO Plugins & Many Others

WP Tavern: XSS Vulnerability Affects More Than a Dozen Popular WordPress Plugins

May 7, 2015 Grace McCrorie

About the author

Grace McCrorie

Grace McCrorie is a professional Web worker who's passionate about the Church online and WordPress. You can connect with Grace here and on Twitter.

3 Responses to WORDPRESS SECURITY ALERT: Widespread XSS Vulnerability Exists

  • Eric Dye May 6, 2015

    Great heads-up! Thank you. 🙂

    • Grace McCrorie May 6, 2015

      My pleasure, Eric!

  • Church Tech Snack Pack #071 - ChurchMag May 8, 2015

    […] WORDPRESS SECURITY ALERT: Widespread XSS Vulnerability Exists Heads-up, yo. […]

Copyright © A Bright I Creative LLC | All Rights Reserved | Powered by Wordpress + Striking by KaptinLin